Enable WDigest using PowerShell (ps_module)

Detects a PowerShell cmdlet invocation that sets the WDigest UseLogonCredential registry value to 1. Once HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential is 1, LSASS keeps a plaintext copy of logon credentials in memory, which credential-dumping tools can then read. The rule matches on the Payload field of PowerShell Module Logging events (Event ID 4103), so Module Logging must be enabled for it to fire.

Sigma rule

title: Enable WDigest using PowerShell (ps_module)
id: c677394a-1e3e-4ab5-a6a8-295bf0b71137
description: Rule to detect registry modifications to enable WDigest using powershell script modules.
status: experimental
date: 2022/06/05
author: The DFIR Report
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    product: windows
    category: ps_module
    definition: PowerShell Module Logging must be enabled
detection:
    selection_4103:
        Payload|contains|all:
          - 'Set-ItemProperty'
          - 'UseLogonCredential'
          - 'WDigest'
          - 'Value'
          - '1'
    condition: selection_4103
falsepositives:
    - Admin activity
level: medium
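The following is an added example, not code from the rule page or from The DFIR Report: it implements the rule's Payload|contains|all selection in Python and runs it over constructed Event ID 4103 Payload strings in the CommandInvocation/ParameterBinding layout that PowerShell Module Logging writes. The helper names (payload_4103, matches_rule, matches_extended, evaluate), the sample events, and the extended selection that also catches New-ItemProperty are this example's own assumptions, not part of the published rule.

```python
# Added example, not part of the rule page: a small evaluator for the rule's
# Payload|contains|all selection, run over constructed PowerShell 4103 payloads.
# The helper names, the sample events and EXTENDED_SELECTIONS are this example's
# own assumptions, not the rule author's.

# Registry key whose UseLogonCredential value enables WDigest credential caching.
WDIGEST_KEY = r"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"


def payload_4103(cmdlet: str, **params: str) -> str:
    """Build a Payload string in the CommandInvocation/ParameterBinding layout
    that PowerShell Module Logging writes to Event ID 4103 (constructed data)."""
    lines = [f'CommandInvocation({cmdlet}): "{cmdlet}"']
    for name, value in params.items():
        lines.append(f'ParameterBinding({cmdlet}): name="{name}"; value="{value}"')
    return "\r\n".join(lines)


# Constructed sample events: the command the rule targets, its benign inverse,
# an alternative cmdlet that enables WDigest just as well, and an unrelated write.
SAMPLE_EVENTS = {
    "enable_set": payload_4103(
        "Set-ItemProperty", Path=WDIGEST_KEY, Name="UseLogonCredential", Value="1"),
    "disable_set": payload_4103(
        "Set-ItemProperty", Path=WDIGEST_KEY, Name="UseLogonCredential", Value="0"),
    "enable_new": payload_4103(
        "New-ItemProperty", Path=WDIGEST_KEY, Name="UseLogonCredential",
        PropertyType="DWord", Value="1"),
    "unrelated": payload_4103(
        "Set-ItemProperty", Path=r"HKLM:\SOFTWARE\Contoso\App", Name="Enabled", Value="1"),
}

# The terms from the rule's selection_4103, verbatim.
RULE_TERMS = ["Set-ItemProperty", "UseLogonCredential", "WDigest", "Value", "1"]

# Extended selection (this example's suggestion, not the published rule): the same
# terms, plus an OR-ed branch for New-ItemProperty. Attackers often use it because
# on Windows 8.1 / Server 2012 R2 and later the value is absent by default.
EXTENDED_SELECTIONS = [
    RULE_TERMS,
    ["New-ItemProperty", "UseLogonCredential", "WDigest", "Value", "1"],
]


def contains_all(payload: str, terms: list) -> bool:
    """Sigma's contains|all modifier: every term is a case-insensitive substring."""
    haystack = payload.lower()
    return all(term.lower() in haystack for term in terms)


def matches_rule(payload: str) -> bool:
    """True when the page's rule would fire on this 4103 Payload."""
    return contains_all(payload, RULE_TERMS)


def matches_extended(payload: str) -> bool:
    """True when any branch of the extended selection fires (Sigma OR of ANDs)."""
    return any(contains_all(payload, sel) for sel in EXTENDED_SELECTIONS)


def evaluate(events: dict = SAMPLE_EVENTS) -> dict:
    """Run both selections over every sample event; returns name -> (rule, extended)."""
    return {name: (matches_rule(p), matches_extended(p)) for name, p in events.items()}


if __name__ == "__main__":
    for name, (rule_hit, ext_hit) in evaluate().items():
        print(f"{name:12s} rule={rule_hit!s:5s} extended={ext_hit}")
```

Two things the run makes visible. The 'Value' and '1' terms do real work only because of the ParameterBinding layout (name="Value"; value="1"), which is why the disable command with value="0" does not fire; in a raw 4104 script block, where '1' can appear anywhere, the same terms would be close to free. And the rule covers only Set-ItemProperty: enabling the value with New-ItemProperty passes it, and reg.exe or direct registry API calls generate no 4103 event at all, so pair this rule with a registry value-set source such as Sysmon Event ID 13 on the WDigest key.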
